Changelog

Improved

• Merchant lifecycle notifications now include richer Shopify shop profile context, giving support a clearer view of installs, uninstalls, billing plan, region, and onboarding state without exposing merchant details in public analytics.

Added

• Eventabee is now publicly available on the Shopify App Store at apps.shopify.com/eventabee. Any Shopify merchant can install directly, no invite link required.
• Public pricing on the listing — Free, Pro ($49/mo), and Business ($199/mo). Every paid tier includes a 7-day free trial.
• Shopify-managed billing on every tier. One invoice, one place to cancel or downgrade.

Improved

• Onboarding flow rewritten for self-serve installs: post-install you land on a 4-step setup checklist (theme embed → consent → first destination → verify) with copy-paste verification commands.
• Listing-aligned destination matrix on the Connect a destination screen, so the in-app catalog mirrors what merchants saw before installing.
• "Beta" framing has been removed across the marketing site, in-app empty states, and FAQ. Eventabee is GA.

Improved

• Storefront-detected experiment_viewed events now carry the same identifier set as other pixel events, so destinations score them on par for event quality.

Fixed

• Events filtered out for reasons other than consent (e.g. a destination that doesn't support a given event type) were mis-badged as "blocked by consent" in the event viewer. They now show as "filtered" with the actual reason.

Added

• Embedded read-only summary inside Shopify Admin — Performance hero metrics and quick deep-link to the full standalone dashboard.
• Click-through DPA at first install. Acceptance is recorded against your shop and DPA version.
• "Request a destination" form on every paid tier — submit a vendor and we build the connector for everyone.
• Per-token revoke for shareable Impact Report URLs. The admin lists every active share with a Revoke button; revoked URLs return 404 immediately.
• Public privacy disclosure guide at honeybound.co with copy-paste templates merchants can drop into their privacy policies.

Improved

• DSAR auto-response is now opt-in and only fires on deterministic identity matches; best-effort matches always queue for manual review. Default is off.
• Cross-domain attribution now requires explicit recorded marketing consent. Every event carries an `attribution_method` field visible to destinations and DSAR flows.
• Self-serve custom-pixel destinations have been retired in favour of the new request flow. Every destination is a first-party connector with a vendor DPA in place.
• Annual pricing remains 20% off monthly billing for Pro and Business.
• Meta Event Match Quality (EMQ) is shown as the Meta-returned value; TikTok and Google Ads scores are now labelled "Event Quality" with an inline note that they are eventabee-synthesized from delivery and field-coverage signals.

Fixed

• Trial eligibility is now enforced consistently per shop, so returning merchants see the right paid-plan state after resubscribing.

Added

• Run eventabee on any domain — headless storefronts, customer portals, marketing sites, multi-region deployments — via a new browser SDK. Business plan.
• Per-domain public keys with rotation and revocation. Add and remove domains from the admin without touching storefront code. Business plan.
• Server-side cross-domain visitor stitching: known-identity linking, cross-subdomain cookies, URL-linker hash-fragment bridging, and a full 90-day decision audit log. Available on request.
• Standalone consent banner that runs on any domain — 6 layouts, geo-targeted opt-in, opt-out, and implied modes, automatic Shopify Customer Privacy API sync where present. Business plan.
• External-domain health page: SDK error-rate trends, rejection stream, and a diagnose-a-domain tool to pinpoint misconfigured installs. Business plan.
• Schema.org product page auto-detection: the external-domain SDK emits product_viewed events automatically when JSON-LD product data is present, with no merchant code required.
• Performance dashboard (Pro and up) showing how much eventabee is moving your ROAS — server-side recovery rate, Event Match Quality uplift since install, and attribution completeness, with an actionable opportunities banner ranked by estimated impact.
• Per-filter-reason delivery drill-down with a destination capability matrix: see exactly which destinations dropped which events and why.
• Per-destination event quality drill-down with field-presence bars, ranked limiting factors, and cohort-backed impact estimates like "+X EMQ if you bring phone coverage to 80%". Business plan.
• Monthly impact report — print-perfect PDF download, 30-day shareable read-only URL, and configurable multi-email auto-distribution so reports land in every stakeholder's inbox. Business plan.
• Synthesized Event Match Quality scores for TikTok and Google Ads, alongside the existing Meta EMQ.

Improved

• Event Quality and Recovery moved under the new Performance section at /admin/performance/. Previous URLs 301-redirect for one release cycle.

Added

• Annual billing: Pro at $39/mo (billed annually) and Business at $159/mo (billed annually) — 20% off monthly rates.
• 7-day free trial on Pro and Business for first-time paid subscribers.

Added

• Optimizely is now the fifth auto-detected A/B testing platform, alongside Kameleoon, VWO, Visually A/B, and GTM dataLayer. Experiment context and `experiment_viewed` events forward to all your destinations automatically.
• Three-tier pricing: Free · Pro ($49) · Business ($199). No volume caps at any tier — eventabee never charges you for more events or orders.
• Business plan: external-domain tracking support for headless storefronts, customer portals, and marketing sites.

Improved

• DSAR and audit export are now generally available on their respective plan tiers (Business and Pro).

Improved

• DSAR review page now shows per-event match detail grouped by confidence level (HIGH / MEDIUM / LOW). Merchants can scan which specific events matched via which predicate before releasing — no need to download the bundle ZIP for routine review. Capped at the first 500 matches; larger DSARs fall back to the bundle's identity_graph.json for the full list.

Added

• DSAR request fulfillment (Business): generate a tamper-evident bundle of every piece of data eventabee holds on a subject, keyed on email with optional phone or Shopify customer ID. Includes an identity-resolution graph that shows which predicate matched which row — defensible under GDPR Article 15 audit. Async generation, 7-day signed download links, 30-day retention.

Added

• A/B test capture (Business): automatically detect Kameleoon on your storefront, or any A/B tool pushing to GTM dataLayer. Every event carries active variant context to your destinations. A new experiment_viewed event fires once per session per variant. PostHog receives native $experiment_started events; Segment gets "Experiment Viewed" spec events; Meta and other destinations get the variant context as custom data.
• Kameleoon and Visually A/B added to the script-block catalog as analytics-category tools — they're consent-gated automatically.

Improved

• Privacy mode's JSON payload blur is now per-value instead of per-block. You still see the payload structure — keys, types, punctuation — and only the PII values (emails, IPs, phones, names, address fields) blur. Hover any blurred value to reveal. Makes in-product payload debugging readable during recordings.

Added

• VWO and Visually A/B now join Kameleoon as auto-detected A/B testing integrations. Every destination you've connected — Google Ads, TikTok, Pinterest, Snapchat, Klaviyo, Meta, PostHog, Segment, and custom webhooks — receives variant context on every event.
• A/B integrations admin page at Configuration → A/B testing: see which tools eventabee is detecting on your storefront, with a per-tool kill switch if you ever need to opt out.

Improved

• Faster A/B testing admin page: dedicated experiments index means the Detected Tools query is instant regardless of event volume.
• Destinations that support a single experiment-name field (Meta, Google Ads, TikTok, Pinterest, Snapchat) now receive a pipe-separated list when a visitor is in multiple concurrent experiments.
• Recent experiment_viewed events now visible on the A/B integrations admin page.

Improved

• Identity resolution summary card on the review page is expanded by default and explains where per-event match detail lives (the bundle's identity_graph.json).

Fixed

• Releasing a DSAR from the review page now correctly transitions from `awaiting_review` to `released` (previously was rejected as "already released or in invalid state" for webhook-originated requests).
• Customer release and refusal emails now show your configured DSAR notification email as the fraud-reporting contact (previously showed a placeholder).
• Refuse action now explicitly blocks terminal-state transitions (can't refuse an already-released or expired request).

Fixed

• Merchants now receive eventabee notification emails for DSAR review, auto-release countdown, and SLA reminders. Set your notification email in DSAR Settings. Requires Business plan with DSAR enabled.

Added

• Shopify DSAR webhooks now auto-build a tamper-evident bundle the moment the customer submits. Merchants review, release, or refuse with structured reasons; every decision is recorded in an immutable audit log suitable for compliance defense.
• Business merchants can opt into full-auto fulfilment: all-HIGH-confidence identity matches release to the customer after a 24-hour safety window; lower-confidence matches always route to manual review.

Improved

• DSAR identity resolution now tags each match with a confidence level (HIGH / MEDIUM / LOW), surfaced in-product and in the bundle's identity_graph.json.

Added

• Privacy mode: a sidebar toggle blurs customer emails, IPs, phone numbers, and identifiers across the entire admin UI. Hover or keyboard-focus any blurred field to reveal its contents. Persists per-browser. Designed for safe screen recordings and demos — enable it before you hit record, everything sensitive stays masked until you deliberately hover.

Added

• Consent receipts now look up by email (Business). DSAR response path: a merchant can paste a customer's email and get that visitor's consent timeline across every device they've used. Forward-only: receipts created before this release can still be looked up by visitor hash.

Improved

• Consent receipts page now renders per-visitor receipts as a chronological timeline with per-category change highlights, making it easy to see at a glance how a visitor's consent evolved over time.

Added

• Global Privacy Control: in regions where it's legally required, the banner now automatically respects a visitor's GPC signal. Configurable per shop.
• Audit export (Pro and Business): download a tamper-evident bundle of your consent receipts, analytics, script decisions, and cookie records — ready to hand to counsel or a regulator.

Added

• Cookie scanner (Business): automatically detects the cookies, localStorage keys, and sessionStorage keys your site drops, grouped by the script that set them. Publish a live cookie declaration on your policy page with one line of theme code.

Improved

• Aggressive mode (Business) now blocks hardcoded trackers in your theme, not just scripts our observer catches after they load. Toggle it on from the Scripts page.

Added

• Script enforcement log: every allow/block decision is recorded with its consent context and surfaced in a new Activity tab on the Scripts page, plus a per-script "Recent decisions" drawer. Retained 30 days on Pro, 180 days on Business.

Improved

• Consent banner loads earlier in `<head>` for more reliable script gating.

Fixed

• Migrating a hardcoded script now correctly clears the "Hardcoded" badge.

Added

• Consent script control: discover and classify third-party scripts running on your storefront; block them until consent is given.

Added

• Initial beta release
• Server-side event capture from Web Pixel
• Geo-aware consent banner (Theme App Embed)
• Meta, Google, TikTok, Klaviyo, Pinterest, Snapchat, Segment, PostHog, generic webhook, and custom destinations
• 30-day consent backfill
• Per-destination retry and dead-letter queue